nixos/guix: add declarative substituters option (#353518)

- `/share/vim-plugins` now only gets linked if `programs.vim.enable` is enabled

- The `services.guix` module now manages trusted substitute servers

  declaratively. Instead of `guix archive --authorize`, list keys with

  `services.guix.substituters.authorizedKeys`. Default substitute servers can be

  set via `services.guix.substituters.urls`.

- The `tracy` package no longer works on X11, since it's moved to Wayland

  support, which is the intended default behavior by Tracy maintainers.

  X11 users have to switch to the new package `tracy-x11`.

    GUIX_LOCPATH = "${cfg.stateDir}/guix/profiles/per-user/root/guix-profile/lib/locale";

    LC_ALL = "C.UTF-8";

  };

  # Currently, this is just done the lazy way with the official Guix script. A

  # more "formal" way would be creating our own Guix script to handle and

  # generate the ACL file ourselves.

  aclFile = pkgs.runCommandLocal "guix-acl" { } ''

    export GUIX_CONFIGURATION_DIRECTORY=./

    for official_server_keys in ${lib.concatStringsSep " " cfg.substituters.authorizedKeys}; do

      ${lib.getExe' cfg.package "guix"} archive --authorize < "$official_server_keys"

    done

    install -Dm0600 ./acl "$out"

  '';

in

{

  meta.maintainers = with lib.maintainers; [ foo-dogsquared ];

      example = "/gnu/var";

    };

    substituters = {

      urls = lib.mkOption {

        type = with lib.types; listOf str;

        default = [

          "https://ci.guix.gnu.org"

          "https://bordeaux.guix.gnu.org"

          "https://berlin.guix.gnu.org"

        ];

        example = lib.literalExpression ''

          options.services.guix.substituters.urls.default ++ [

            "https://guix.example.com"

            "https://guix.example.org"

          ]

        '';

        description = ''

          A list of substitute servers' URLs for the Guix daemon to download

          substitutes from.

        '';

      };

      authorizedKeys = lib.mkOption {

        type = with lib.types; listOf path;

        default = [

          "${cfg.package}/share/guix/ci.guix.gnu.org.pub"

          "${cfg.package}/share/guix/bordeaux.guix.gnu.org.pub"

          "${cfg.package}/share/guix/berlin.guix.gnu.org.pub"

        ];

        defaultText = ''

          The packaged signing keys from {option}`services.guix.package`.

        '';

        example = lib.literalExpression ''

          options.services.guix.substituters.authorizedKeys.default ++ [

            (builtins.fetchurl {

              url = "https://guix.example.com/signing-key.pub";

            })

            (builtins.fetchurl {

              url = "https://guix.example.org/static/signing-key.pub";

            })

          ]

        '';

        description = ''

          A list of signing keys for each substitute server to be authorized as

          a source of substitutes. Without this, the listed substitute servers

          from {option}`services.guix.substituters.urls` would be ignored [with

          some

          exceptions](https://guix.gnu.org/manual/en/html_node/Substitute-Authentication.html).

        '';

      };

    };

    publish = {

      enable = mkEnableOption "substitute server for your Guix store directory";

        script = ''

          ${lib.getExe' package "guix-daemon"} \

            --build-users-group=${cfg.group} \

            ${lib.optionalString (cfg.substituters.urls != [ ])

              "--substitute-urls='${lib.concatStringsSep " " cfg.substituters.urls}'"} \

            ${lib.escapeShellArgs cfg.extraArgs}

        '';

        serviceConfig = {

      # Make transferring files from one store to another easier with the usual

      # case being of most substitutes from the official Guix CI instance.

      system.activationScripts.guix-authorize-keys = ''

        for official_server_keys in ${package}/share/guix/*.pub; do

          ${lib.getExe' package "guix"} archive --authorize < $official_server_keys

        done

      '';

      environment.etc."guix/acl".source = aclFile;

      # Link the usual Guix profiles to the home directory. This is useful in

      # ephemeral setups where only certain part of the filesystem is

        in ''

          [ -d "${userProfile}" ] && ln -sfn "${userProfile}" "${location}"

        '';

        linkProfileToPath = acc: profile: location: let

          in acc + (linkProfile profile location);

        linkProfileToPath = acc: profile: location:

          acc + (linkProfile profile location);

        # This should contain export-only Guix user profiles. The rest of it is

        # handled manually in the activation script.

          Type = "oneshot";

          PrivateDevices = true;

          PrivateNetworks = true;

          PrivateNetwork = true;

          ProtectControlGroups = true;

          ProtectHostname = true;

          ProtectKernelTunables = true;

      services.guix = {

        enable = true;

        extraArgs = [

        # Force to only get all substitutes from the local server. We don't

        # have anything in the Guix store directory and we cannot get

        # anything from the official substitute servers anyways.

          "--substitute-urls='http://server.local:${toString publishPort}'"

        substituters.urls = [ "http://server.local:${toString publishPort}" ];

        extraArgs = [

          # Enable autodiscovery of the substitute servers in the local

          # network. This machine shouldn't need to import the signing key from

          # the substitute server since it is automatically done anyways.